Public key infrastructure exchange using netconf for Openflow enabled switches

ABSTRACT

Generating PKI credentials for authenticating a networking appliance attempting to attach to a network includes: receiving a certificate signing request (CSR) from the networking appliance, wherein the CSR comprises credential data associated with an identity of the networking appliance; generating an appliance certificate based on the credential data and a certificate authority (CA) certificate associated with the computer; and returning the appliance certificate to the networking appliance.

BACKGROUND

The present disclosure relates generally to operation of a softwaredefined networking (SDN) controller and, more particularly, to securityfeatures of an SDN controller.

In a computer network, network switching devices (switches) interconnectto form a path for transmitting information between an originator and arecipient. A routing mechanism, or protocol, defines switching logicthat forwards the transmitted information in the form of packets betweenthe switches as a series of “hops” along a path. At each switch, theswitching logic identifies the next switch, or hop, in the path using anidentifier such as a Media Access Control (MAC) address. Shortest PathBridging (SPB) is a routing mechanism having switching logic such thateach switch advertises the nodes it knows about to all the otherswitches, and eventually all the switches in the network have the samepicture of the network and therefore can forward frames to the next hopalong a shortest path.

In a conventional router or switch, the fast packet forwarding (datapath) and the high level routing decisions (control path) occur on thesame device. An OpenFlow Switch separates these two functions. The datapath portion still resides on the switch, while high-level routingdecisions are moved to a separate controller, typically a standardserver. The OpenFlow Switch and Controller communicate via the OpenFlowprotocol, which defines messages, such as packet-received,send-packet-out, modify-forwarding-table, and get-stats.

The data path of an OpenFlow Switch presents a clean flow tableabstraction; each flow table entry contains a set of packet fields tomatch, and an action (such as send-out-port, modify-field, or drop).When an OpenFlow Switch receives a packet it has never seen before, forwhich it has no matching flow entries, it sends this packet to thecontroller. The controller then makes a decision on how to handle thispacket. It can drop the packet, or it can add a flow entry directing theswitch on how to forward similar packets in the future.

In simpler terms, OpenFlow allows the path of network packets throughthe network of switches to be determined by software running on multiplerouters (minimum two of them—primary and secondary—has a role ofobservers). This separation of the control from the forwarding allowsfor more sophisticated traffic management than is feasible using accesscontrol lists (ACLs) and routing protocols.

The OpenFlow protocol can also be referred to as a software-definednetworking (SDN) protocol. As alluded to above, an SDN protocol differsin at least one respect from a more traditional protocol in that theswitching devices can be relatively low cost and so-called “dumb”switching devices that do not have much if any built-in routing logic.Instead, the switching devices are programmed and controlled by anexternal network fabric controller device over a programming pathdifferent than the data path and/or the control path of the network. TheOpenFlow protocol is maintained by the Open Networking Foundation ofPalo Alto, Calif., such that a corresponding network fabric controllerdevice is referred to as an OpenFlow network controller. Switching andother network devices are likewise referred to as OpenFlow networkdevices.

A disadvantage of the OpenFlow protocol in particular is that anyOpenFlow network device can join an OpenFlow network. This isproblematic, because malicious such devices may easily join existingOpenFlow networks by communicating with the OpenFlow network controllerscontrolling these OpenFlow networks. The OpenFlow protocol provideslittle protection against untrusted OpenFlow network devices becomingpart of an OpenFlow network.

BRIEF SUMMARY

One aspect of the present disclosure relates to a computer implementedmethod for generating PKI credentials for authenticating a networkingappliance attempting to attach to a network. The method includes:receiving, by the computer, a certificate signing request (CSR) from thenetworking appliance, wherein the CSR comprises credential dataassociated with an identity of the networking appliance; generating, bythe computer, an appliance certificate based on the credential data anda certificate authority (CA) certificate associated with the computer;and returning, by the computer, the appliance certificate to thenetworking appliance.

Another aspect of the present disclosure relates to a system forgenerating PKI credentials for authenticating a networking applianceattempting to attach to a network that includes a memory device storingexecutable instructions; and a processor in communication with thememory device. In particular, executing the executable instructions bythe processor causes the processor to: receive a certificate signingrequest (CSR) from the networking appliance, wherein the CSR comprisescredential data associated with an identity of the networking appliance;generate an appliance certificate based on the credential data and acertificate authority (CA) certificate associated with the computer; andreturn the appliance certificate to the networking appliance.

Embodiments of the present disclosure relate to the interaction betweenan open network adapter (ONA) and an SDN Controller. Specifically, therelevant interactions relate to when the ONA is first on-boarded ontothe network fabric. The SDN Controller can use OpenDaylight to establishan OpenFlow-based communication with the ONA. Other aspects of thedisclosure relate to how OpenDaylight can interface with a cluster ofSDN controllers operating as a single, virtual controller.

One embodiment relates to a method of utilizing the netconfconfiguration interface to exchange the messages via a netconf sessionthat occurs when the ONA first boots up. The YANG data model of the ONAis extended to include additional model elements of:“certificate-signing-request”; “switch-cert”, and “cacert”. Theinclusion of these new elements allow additional RPC messages to begenerated as part of the netconf conversation. The new messages allow:

a) the OpenDaylight component (ODL) to instruct the ONA to generate aCertificate Signing Request (CSR);

b) the ONA to deliver a CSR with the ONA public key and a portion signedby the ONA private key; and

c) the OpenDaylight component to deliver the ONA their public key backwhich has been signed by the private key of the SDN Controller.

The details of this embodiment relate to a particular multistageprotocol between the ONA, the SDN Controller, and the OpenDaylightcomponent.

At the end of the exchange, the following improvements have beenaccomplished:

a) the ONA will have a unique private key;

b) that ONA private key will have never been outside the control of theONA; and

c) the ONA will have an identity certificate that has been signed by theSDN Controller.

A second embodiment can involve dual authentication of the ONA after theinitial provisioning of the certificates discussed in the earlierembodiment. When the ONA has the needed certificate from the SDNController, then the ONA can participate in an authentication schemewith the OpenDaylight component that relies on a primary authenticationmethod which is identity certificate verification. This embodimentrelates to a particular protocol that begins with initiating a OpenFlowsession over TLS which relies on the ONA providing a signed certificatewhich the OpenDaylight component (ODL) can then authenticate with theprivate key of the SDN Controller. The OpenFlow initiation can thencomplete once the certificate has been authenticated. Secondly, the ONAinitiates a Netconf session over a secure shell tunnel by providing thesigned certificate to the ODL component which can then be authenticatedwith the private key of the SDN Controller. The initiation of theNetconf session can then be completed once the certificate has beenverified. Once that first stage of authentication has taken place, theOpenDaylight component and a management app can perform the steps tohandle a ONA request to attach to the network and to authenticate thatattach request event with the serial number of the ONA from a database.The ONA can then be activated. At this stage two communications pathsare active between the ONA and the OpenDaylight component: an OpenFlowsession over TLS and a Netconf session over SSH tunnel.

A third embodiment looks at the process at the system-wide level asinvolving a general 3-step workflow of how to on-board a new ONA ontothe network by actions performed by a customer and not relying oninstalling PKI certificates on each ONA during the manufacturingprocess. The first step involves a physical step in which the MACaddress and serial number of the ONA are captured, for example, by a QRreader and added to the databases maintained by the SDN Controller. Thesecond step is a PKI generation and certificate exchange during theinitial boot of the ONA when it has first been attached to the network.The public and private keys for the ONA are generated in such a way thateach ONA will have a unique private key. As the initial boot processcontinues, the ONA and the SDN Controller exchange messages using anaugmented version of netconf to provide the ONA public key to the SDNController. The SDN Controller acts as a certificate authority, signsthe public key and returns the signed certificate to the ONA. As thefinal step in the 3-step process, the ONA can first authenticate anOpenFlow session and a Netconf session using the signed certificate.Upon successful verification using the signed certificate, the ONA canbe authenticated by the OpenDaylight component using the ONA's serialnumber. At this stage, the ONA can be set as active and that statusreflected in a management application used by the customer.

BRIEF DESCRIPTION OF THE DRAWINGS

So the manner in which the above recited features of the presentdisclosure can be understood in detail, a more particular description ofembodiments of the present disclosure, briefly summarized above, may behad by reference to embodiments, which are illustrated in the appendeddrawings. It is to be noted, however, the appended drawings illustrateonly typical embodiments encompassed within the scope of the presentdisclosure, and, therefore, are not to be considered limiting, for thepresent disclosure may admit to other equally effective embodiments.

FIG. 1 illustrates an example network environment in which a device canbe attached to an SDN network in accordance with the principles of thepresent disclosure.

FIG. 2 illustrates a block-level view of an SDN controller and a networkadapter in accordance with the principles of the present disclosure.

FIG. 3A and FIG. 3B illustrate a more detailed view of functional blocksof the SDN controller of FIG. 2.

FIG. 4 illustrates a protocol diagram of one stage of attaching a deviceto a SDN controller in accordance with the principles of the presentdisclosure.

FIG. 5A and FIG. 5B illustrate alternative techniques for initiating acertificate signing request (CSR) in accordance with the principles ofthe present disclosure.

FIG. 6 illustrates a protocol diagram of a second stage of attaching thedevice to the SDN controller in accordance with the principles of thepresent disclosure.

FIG. 7A illustrates a protocol diagram of a third stage of attaching thedevice to the SDN controller in accordance with the principles of thepresent disclosure.

FIG. 7B illustrates a three-step workflow for onboarding a networkdevice in accordance with the principles of the present disclosure.

FIG. 8 illustrates an example YANG tree of a network adapter inaccordance with the principles of the present disclosure.

FIG. 9-FIG. 14 illustrate examples of netconf messages that facilitatean exchange of public key infrastructure (PKI) certificates inaccordance with the principles of the present disclosure.

FIG. 15 illustrates an example computer platform that can host either ofthe SDN controller or the network adapter in accordance with theprinciples of the present disclosure.

DETAILED DESCRIPTION

General Language Usage

The term “a” or “an” entity refers to one or more of that entity. Assuch, the terms “a” (or “an”), “one or more” and “at least one” can beused interchangeably herein. It is also to be noted that the terms“comprising”, “including”, and “having” can be used interchangeably.

The term “automatic” and variations thereof, as used herein, refers toany process or operation done without material human input when theprocess or operation is performed. However, a process or operation canbe automatic, even though performance of the process or operation usesmaterial or immaterial human input, if the input is received beforeperformance of the process or operation. Human input is deemed to bematerial if such input influences how the process or operation will beperformed. Human input that consents to the performance of the processor operation is not deemed to be “material.”

As used herein, the term “transmitter” may generally comprise anydevice, circuit, or apparatus capable of transmitting a signal. As usedherein, the term “receiver” may generally comprise any device, circuit,or apparatus capable of receiving a signal. As used herein, the term“transceiver” may generally comprise any device, circuit, or apparatuscapable of transmitting and receiving a signal. As used herein, the term“signal” may include one or more of an electrical signal, a radiosignal, an optical signal, an acoustic signal, and so forth.

The term “computer-readable medium” as used herein refers to anytangible storage and/or transmission medium that participates in storingand/or providing instructions to a processor for execution. Such amedium may take many forms, including but not limited to, non-volatilemedia, volatile media, and transmission media. Non-volatile mediaincludes, for example, NVRAM, or magnetic or optical disks. Volatilemedia includes dynamic memory, such as main memory. Common forms ofcomputer-readable media include, for example, a floppy disk, a flexibledisk, hard disk, magnetic tape, or any other magnetic medium,magneto-optical medium, a CD-ROM, any other optical medium, punch cards,paper tape, any other physical medium with patterns of holes, RAM, PROM,EPROM, FLASH-EPROM, solid state medium like a memory card, any othermemory chip or cartridge, a carrier wave as described hereinafter, orany other medium from which a computer can read. A digital fileattachment to e-mail or other self-contained information archive or setof archives is considered a distribution medium equivalent to a tangiblestorage medium. When the computer-readable media is configured as adatabase, it is to be understood that the database may be any type ofdatabase, such as relational, hierarchical, object-oriented, and/or thelike. Accordingly, the disclosure is considered to include a tangiblestorage medium or distribution medium and prior art-recognizedequivalents and successor media, in which the software implementationsof the present disclosure are stored.

The terms “determine”, “calculate” and “compute,” and variationsthereof, as used herein, are used interchangeably and include any typeof methodology, process, mathematical operation or technique.

The term “module” as used herein refers to any known or later developedhardware, software, firmware, artificial intelligence, fuzzy logic, orcombination of hardware and software that is capable of performing thefunctionality associated with that element. Also, while the presentdisclosure is described in terms of exemplary embodiments, it should beappreciated those individual aspects of the present disclosure can beseparately claimed.

Example Environment

FIG. 1 illustrates an example network environment in which a device canbe attached to an SDN network in accordance with the principles of thepresent disclosure. To aid in the understanding of the presentdisclosure the example environment is described in the context of ahealthcare provider environment. In particular, one example of an SDNcontroller 104 is an Avaya® SDN Fx Controller. Also, an example networkadapter 110 that can attach to an edge switch 106 of a shortest pathbridge (SPB) network 102 can include an Avaya® open network adapter(ONA). However, one of ordinary skill will readily recognize that thoseparticular devices in the example healthcare environment are merelyexamples and the present disclosure is not limited to those specificexamples.

The example environment 100 of FIG. 1 includes an ONA 110 which is anintelligent network appliance that is connected to a network-enableddevice 112 (e.g., a medical telemetry device) on one side and connectedto a network 102 on its other side. The network 102 can include a numberof switches (e.g., 106, 108) that are coupled together to establish anSPB network. The ONA 110 can, for example, connect to an Ethernet portof a switch 106 exposed at the edge of the network 102.

The ONA 110 can be a smart network appliance such as a microcontroller,or microprocessor, based device that contains an operating system suchas the Linux operating system with Open vSwitch. When programmed, theONA 110 provides many intelligent functions to support a broad range ofIoT-type devices (with an Ethernet port) that have traditionally beendifficult to control on the edge of the network 102. As known to one ofordinary skill in this field of endeavor, Open vSwitch is a feature-richopen-source virtual switch that provides automated network serviceprovisioning using Auto-Attach (IEEE draft 802.1Qcj) including aflexible range of traffic flow programming for forwarding, filtering,isolation, monitoring, queuing, shaping, and logging.

The SDN controller 104 provides the management of an SDN frameworkimplemented within the SPB network 102. The SDN controller 104 may be asoftware application operating on any standards-based server andperforms the following functions: a) assigns service profiles to ONA's;b) manages interfaces into SDN program environments; c) presentsinventory lists of devices connected to the ONAs; and d) exposesnorthbound and southbound API's. The SDN controller 104 may, forexample, perform these functions by utilizing an OpenDaylightmulti-protocol controller that manages all the services modules withinthe SDN framework. Using open protocols of NETCONF and OpenFlow fornetwork configuration, manager/services modules can be accessed via aprogrammable northbound or southbound API layer.

The SPB network 102 can be an Ethernet fabric technology based on IEEE802.1aq Shortest Path Bridging (MAC) network that dramaticallysimplifies network infrastructures by using just one protocol to delivervirtualized network services (network segments) across an entireenterprise. An example of such network technology is Avaya FabricConnect®. One of the key benefits of this technology is simplifiedoperations through fabric edge-layer-only provisioning, where the fabriccore becomes a “Zero-touch-core” that virtually eliminates the chance ofnetwork misconfiguration. Another key benefit of Fabric Connect® is trueservice segmentation of virtualized Layer 2 or Layer 3 services. Thisfunctionality enables the fabric to easily create and manage virtualservice networks segments that are invisible to IP scanning techniques.This is possible because Fabric Connect® does not use the IP protocol asa utility to establish service paths. This is referred to by Avaya asStealth Network Services. This virtualized framework can also beleveraged to provide secure separation in multi-tenant environments.

The virtualized framework of the SPB network 102 can also implementtechnology known as Avaya Fabric Attach®. Also known as Auto-Attach(IEEE Draft 802.1Qcj), Avaya Fabric Attach® creates plug-n-playon-boarding for network elements that do not natively run FabricConnect®. Fabric Attach extends Fabric Connect to deliver an “AutonomicEdge” capability that dramatically reduces the time and cost of addingnew or modifying existing services. Any Fabric Attach capable device(such as an Ethernet switch, WLAN Access Point, or OVS based device—ONA110) can be connected in a more secure fashion to the network,authorized, and request dynamic attachment to a new or existing networkservice instance. The ONA 110 can leverage Fabric Attach within OpenvSwitch to request automatic provisioning attachment to services(network segments). Thus, the environment depicted in FIG. 1 can usethis feature to fully automate network configuration and attachmentwithout the need to touch any network element.

In an example healthcare environment, a new medical device 112 canarrive at the healthcare organization. Using a smartphone application,for example, some IT personnel can scan a bar code of the medical device112 that identifies the medical device's serial number and MAC address.This information can then be recorded by the application into thehealthcare organization's database. Next, the ONA 110 can include aquick-response (QR) code such that an ONA QR code is scanned andinformation uploaded to a management application database for pairingwith the medical device 112. The information encoded in the QR code caninclude the ONA's MAC address, serial number, additional MAC addressesavailable to assign to the ONA, and similar data. For example, a modelnumber could be included to assist with automatic determination of thecapabilities and technical specifications of the ONA 110. Ultimately,network service information and communication rules for the medicaldevice 112 connected to the ONA 110 are configured in the managementapplication and the device 112 is ready for deployment.

The medical device 112 and ONA 110 are delivered to their intendedlocation. The ONA 110 may, for example, remain co-located with thepaired medical device 112 unless it needs to be reassigned to anotherdevice. The medical device Ethernet cable is plugged into the ONA deviceport and the ONA network port is plugged into an Ethernet switch port(e.g., switch 106). When fully booted, the ONA 110 signals the SDNController 104 which sends network service, profile, and security ruleinformation back to the ONA 110. If, for example, the networkinfrastructure is Avaya Fabric Connect running Fabric Attach at theedge, the ONA 110 signals the network to provision and connect it to itsisolated network segment. The medical device 112 is now able tocommunicate through the paired ONA 110 into a specifically assignednetwork segment.

If the medical device 112 needs to be physically moved to a newlocation, the Ethernet cable on the ONA network port is disconnectedfrom the switch 106, and the ONA 110 is relocated with the medicaldevice to the new location. Upon plugging the ONA 110 with its pairedmedical device 112 into, for example, an Ethernet wall-jack at the newlocation to reconnect with the switch 106 (or some other switch of thenetwork 102), the ONA 110 signals the SDN controller 104 to get itsprofile. The SDN Controller 104 sends network service, profile andsecurity rule information back to the ONA 110 as per the deploymentprocess. All services and rules are re-established, now at the newlocation. As the medical devices with their paired ONA's are moved todifferent locations, the management application follows the ONA andmedical device and registers the device status accordingly. Allregistered medical devices can be presented as an inventory list on themanagement application.

As described above, the ONA 110 appears as a controllable switch to theSDN controller 104. In general, the ONA 110 provides a field-deployableimplementation of Open vSwitch, facilitating network connectivity andautomating provisioning. Open vSwitch (OVS) is a virtual networkingplatform that delivers a software-definable solution for trafficforwarding, isolation and filtering, monitoring and traffic mirroring,queuing and shaping, and automating control. The vSwitch can beconsidered as the networking side of a Hypervisor implementation:Virtual Machines are provided with virtualized access to CPU, memory,disk, and also—via the vSwitch—to internal and external networks.

Using an Open vSwitch for the ONA 110, and utilizing OpenFlow in the SDNcontroller 104, are provided merely by way of example and one ofordinary skill would recognize other functionally equivalent appliancesand protocols can be used without departing from the scope of thepresent disclosure. The ONA 110 can include a hypervisor in which anumber of virtual switches operate. Open vSwitch is targeted atmulti-server virtualization deployments. These environments are oftencharacterized by highly dynamic end-points, the maintenance of logicalabstractions, and sometimes integration with or offloading to specialpurpose switching hardware. Open vSwitch has support for bothconfiguring and migrating both slow (configuration) and fast networkstate between instances. For example, if a virtual machine (VM) migratesbetween end-hosts, it is possible to not only migrate associatedconfiguration (SPAN rules, ACLs, QoS) but any live network state(including, for example, existing state which may be difficult toreconstruct). Further, Open vSwitch state is typed and backed by a realdata-model allowing for the development of structured automationsystems.

Open vSwitch's forwarding path (the in-kernel datapath) is designed tobe amenable to “offloading” packet processing to hardware chipsets,whether housed in a classic hardware switch chassis or in an end-hostNIC. This allows for the Open vSwitch control path to be able to bothcontrol a pure software implementation or a hardware switch. Anadvantage of hardware integration is not only performance withinvirtualized environments. If physical switches also expose the OpenvSwitch control abstractions, both bare-metal and virtualized hostingenvironments can be managed using the same mechanism for automatednetwork control. In many ways, Open vSwitch targets a different point inthe design space than previous hypervisor networking stacks, focusing onthe need for automated and dynamic network control in large-scaleLinux-based virtualization environments.

In particular, Open vSwitch supports OpenFlow as a method of exportingremote access to control traffic. There are a number of uses for thisincluding global network discovery through inspection of discovery orlink-state traffic (e.g., LLDP). Open vSwitch includes multiple methodsfor specifying and maintaining tagging rules, all of which areaccessible to a remote process for orchestration. This allows, forexample, thousands of tagging or address remapping rules to beconfigured, changed, and migrated.

OpenFlow is a protocol that allows a server to tell network switcheswhere to send packets. In a conventional network, each switch hasproprietary software that tells it what to do. With OpenFlow, thepacket-moving decisions are centralized, so that the network can beprogrammed independently of the individual switches and data centergear. In a conventional switch, packet forwarding (the data path) andhigh-level routing (the control path) occur on the same device. AnOpenFlow switch separates the data path from the control path. The datapath portion resides on the switch itself; a separate controller makeshigh-level routing decisions.

OpenFlow enables network controllers to determine the path of networkpackets across a network of switches. The controllers are distinct fromthe switches. This separation of the control from the forwarding allowsfor more sophisticated traffic management than is feasible using accesscontrol lists (ACLs) and routing protocols. Also, OpenFlow allowsswitches from different vendors—often each with their own proprietaryinterfaces and scripting languages—to be managed remotely using asingle, open protocol. OpenFlow allows remote administration of a layer3 switch's packet forwarding tables, by adding, modifying and removingpacket matching rules and actions. This way, routing decisions can bemade periodically or ad hoc by the controller and translated into rulesand actions with a configurable lifespan, which are then deployed to aswitch's flow table, leaving the actual forwarding of matched packets tothe switch at wire speed for the duration of those rules. Packets whichare unmatched by the switch can be forwarded to the controller. Thecontroller can then decide to modify existing flow table rules on one ormore switches or to deploy new rules, to prevent a structural flow oftraffic between switch and controller. It could even decide to forwardthe traffic itself, provided that it has told the switch to forwardentire packets instead of just their header. The OpenFlow protocol islayered on top of the Transmission Control Protocol (TCP), andprescribes the use of Transport Layer Security (TLS). Controllers shouldlisten on TCP port 6653 for switches that want to set up a connection.

FIG. 2 illustrates a block-level view of an SDN controller and a networkadapter in accordance with the principles of the present disclosure.Within the environment 100 described with respect to FIG. 1, this figuredepicts the major software components involved in the presentdisclosure: ONA 110, ODL component 206, SDN Engines 210, a managementapplication 212, and Cluster (or Clustering) Engines 214. As describedin detail below, due to the nature of ONA 110 interaction with ODL 206,ONA will utilize a client/server certificate which was signed by the SDNEngines 210 to secure the OpenFlow-over-TLS channel and Netconf-over-SSHtunnel. The certificate can be used for encrypting both communicationchannels but verification of the certificate before the key negotiationis accomplished. Although not discussed in detail, separate certificatescould be generated and exchanged for each of the SSH and the TLSsessions, respectively. Each certificate would be generated using amethod similar to that discussed herein and then would be stored in anappropriate keystore location. The SDN Engines 210 is where a private CA(Certificate Authority) will be hosted and issuing the certificate tothe ONAs during the ONA onboarding process. The Clustering Engines 214are the database replication service components for the private CA inthe SDN Engines 210. ODL 206 is the “gateway” software component forthis process which speaks ‘netconf’ 204 and OpenFlow 202 as south-boundAPIs to the ONA 110 and providing a RESTful API 208 as a north-bound APIto the SDN Engines 210 to orchestrate the below-described public keyinfrastructure (PKI) process. The SDN engines 210 have respectivecommunication paths 216, 218 with the management application 212 and thecluster engines 214.

One of ordinary skill will recognize that alternatives to PKI, netconfand ODL can be utilized without departing from the scope of the presentdisclosure. Also, as these protocols, techniques and standards arewell-known, only a brief description of each is provided below. However,it is intended that in accordance with the principles of the presentdisclosure, utilization of the full feature set of these conventionaltechnologies is available.

PKI and Certificate Signing Request

A public key infrastructure (PKI) is a set of roles, policies, andprocedures needed to create, manage, distribute, use, store, and revokedigital certificates and manage public-key encryption. The purpose of aPKI is to facilitate the secure electronic transfer of information for arange of network activities. It is used for activities where simplepasswords are an inadequate authentication method and more rigorousproof is required to confirm the identity of the parties involved in thecommunication and to validate the information being transferred.

In cryptography, a PKI is an arrangement that binds public keys withrespective identities of entities (like persons and organizations). Thebinding is established through a process of registration and issuance ofcertificates at and by a certificate authority (CA). Depending on theassurance level of the binding, this may be carried out by an automatedprocess or under human supervision.

In public key infrastructure (PKI) systems, a certificate signingrequest (also CSR or certification request) is a message sent from anapplicant to a certificate authority in order to apply for a digitalidentity certificate. Before creating a CSR, the applicant firstgenerates a key pair, keeping the private key secret. The CSR containsinformation identifying the applicant (such as a distinguished name inthe case of an X.509 certificate) which must be signed using theapplicant's private key. The CSR also contains the public key chosen bythe applicant. The CSR may be accompanied by other credentials or proofsof identity required by the certificate authority, and the certificateauthority may contact the applicant for further information. The threemain parts that a certification request consists of are thecertification request information, a signature algorithm identifier, anda digital signature on the certification request information. The firstpart contains the significant information, including the public key. Thesignature by the requester prevents an entity from requesting a boguscertificate of someone else's public key. Thus the private key is neededto produce, but it is not part of, the CSR.

NETCONF and YANG

The NETCONF protocol [RFC6241] is an XML-based protocol used to managethe configuration of networking equipment. NETCONF is defined to besession-layer and transport independent, allowing mappings to be definedfor multiple session-layer or transport protocols. NETCONF can be usedwithin a Secure Shell (SSH) session, using the SSH connection protocol[RFC4254] over the SSH transport protocol [RFC4253]. This mapping willallow NETCONF to be executed from a secure shell session by a user orapplication.

Although this document gives specific examples of how NETCONF messagesare sent over an SSH connection, use of this transport is not restrictedto the messages shown in the examples below. This transport can be usedfor any NETCONF message.

To run NETCONF over SSH, the client will first establish an SSHtransport connection using the SSH transport protocol, and the clientand server will exchange keys for message integrity and encryption. Theclient will then invoke the “ssh-userauth” service to authenticate theuser, as described in the SSH authentication protocol [RFC4252]. Oncethe user has been successfully authenticated, the client will invoke the“ssh-connection” service, also known as the SSH connection protocol.

After the ssh-connection service is established, the client will open achannel of type “session”, which will result in an SSH session. Once theSSH session has been established, the user (or application) will invokeNETCONF as an SSH subsystem called “netconf”. Subsystem support is afeature of SSH version 2 (SSHv2) and is not included in SSHv1. RunningNETCONF as an SSH subsystem avoids the need for the script to recognizeshell prompts or skip over extraneous information, such as a systemmessage that is sent at shell start-up.

However, even when a subsystem is used, some extraneous messages may beprinted by the user's start-up scripts. In order to allow NETCONFtraffic to be easily identified and filtered by firewalls and othernetwork devices, NETCONF servers default to providing access to the‘netconf’ SSH subsystem only when the SSH session is established usingthe IANA-assigned TCP port <830>. But, servers may also be configurableto allow access to the netconf SSH subsystem over other ports.

A user (or application) could use the following command line to invokeNETCONF as an SSH subsystem on the IANA-assigned port:

[user@client]$ ssh -s server.example.org-p <830> netconf

A NETCONF over SSH session consists of the manager and agent exchangingcomplete XML documents. Once the session has been established andcapabilities have been exchanged, the manager will send complete XMLdocuments containing <rpc> elements to the server, and the agent willrespond with complete XML documents containing <rpc-reply> elements.

The base protocol defines the following protocol operations:

Operation Description <get> Retrieve running configuration and devicestate information <get-config> Retrieve all or part of a specifiedconfiguration datastore <edit-config> Edit a configuration datastore bycreating, deleting, merging or replacing content <copy-config> Copy anentire configuration datastore to another configuration datastore<delete-config> Delete a configuration datastore <lock> Lock an entireconfiguration datastore of a device <unlock> Release a configurationdatastore lock previously obtained with the <lock> operation<close-session> Request graceful termination of a NETCONF session<kill-session> Force the termination of a NETCONF session

Basic NETCONF functionality can be extended by the definition of NETCONFcapabilities. The set of additional protocol features that animplementation supports is communicated between the server and theclient during the capability exchange portion of session setup.Mandatory protocol features are not included in the capability exchangesince they are assumed. RFC 4741 defines a number of optionalcapabilities including :xpath and :validate.

A capability to support subscribing and receiving asynchronous eventnotifications is published in RFC 5277. This document defines the<create-subscription> operation, which enables creating real-time andreplay subscriptions. Notifications are then sent asynchronously usingthe <notification> construct. It also defines the :interleavecapability, which when supported with the basic :notification capabilityfacilitates the processing of other NETCONF operations while thesubscription is active.

A capability to support partial locking of the running configuration isdefined in RFC 5717. This allows multiple sessions to editnon-overlapping sub-trees within the running configuration. Without thiscapability, the only lock available is for the entire configuration.

A capability to monitor the NETCONF protocol is defined in RFC 6022.This document contains a data model including information about NETCONFdatastores, sessions, locks, and statistics that facilitates themanagement of a NETCONF server. It also defines methods for NETCONFclients to discover data models supported by a NETCONF server anddefines the <get-schema> operation to retrieve them.

The NETCONF messages layer provides a simple, transport-independentframing mechanism for encoding a) RPC invocations (<rpc> messages), b)RPC results (<rpc-reply messages), and c) event notifications(<notification> messages). Every NETCONF message is a well-formed XMLdocument. An RPC result is linked to an RPC invocation by a message-idattribute. NETCONF messages can be pipelined, i.e., a client can invokemultiple RPCs without having to wait for RPC result messages first. RPCmessages are defined in RFC 6241 and notification messages are definedin RFC 5277.

In the present disclosure, the ONA 110 can use NETCONF as its configdata center and also as its management interface. For example, the ONA110 can use tail-f's implementation of confd as a NETCONF server and tohandle configuration and monitoring requests from internal and externalNETCONF clients such as ODL 206. Tail-f's ConfD is a deviceconfiguration toolkit meant to be integrated as a management sub-systemin network devices, providing a) an implementation of the NETCONFprotocol, b) automatic rendering of northbound interfaces, includingCLI, Web UI and NETCONF, c) clustered/fault-tolerant storage ofconfiguration data, and d) master-agent/sub-agent framework for NETCONF,CLI, Web UI and SNMP. In particular, ConfD executes as a regular UNIXdaemon on the target device, acting as: a) a NETCONF agent for theNETCONF protocol, b) a Web server for the Web UI, c) a CLI engine forcommand-line access, and d) as an SNMP agent. It also contains abuilt-in XML configuration database.

“YANG” is a data modeling language for the NETCONF network configurationprotocol. The name is an acronym for “Yet Another Next Generation”. TheYANG data modeling language was developed by the NETMOD working group inthe Internet Engineering Task Force (IETF) and was published as RFC 6020in October 2010. The data modeling language can be used to model bothconfiguration data as well as state data of network elements.Furthermore, YANG can be used to define the format of eventnotifications emitted by network elements and it allows data modelers todefine the signature of remote procedure calls that can be invoked onnetwork elements via the NETCONF protocol.

YANG is a modular language representing data structures in an XML treeformat. The data modeling language comes with a number of built-in datatypes. Additional application specific data types can be derived fromthe built-in data types. More complex reusable data structures can berepresented as groupings. YANG data models can use XPATH expressions todefine constraints on the elements of a YANG data model.

Returning to FIG. 2, the software executing on the ONA 110 may utilizestable open source software wherever appropriate such as, for example,Netconf Confd as data central and Open vSwitch as a datapath flowcontrol. The software can run as a pure software application on Linux oras an embedded hardware switch controller in a physical switch. Ingeneral, the software provides layer 2 and layer 3 networking protocolsupport with or without a separate network controller like Open Daylight(ODL).

FIG. 3A and FIG. 3B illustrate a more detailed view of functional blocksof the SDN controller of FIG. 2. FIG. 3A provides details about the SDNEngines 210. For example, the SDN Engines 210 include a CertMgr 302which is a software component that will play a role as a private CA inthe controller 104. CertMgr 302 will communicate with ODL 206 toinitiate the CSR request and push down the signed client/servercertificate back to ONA 110 through an ODL REST API call. All theartifacts which are used to generate the signed certificate can bestored in database through a DBaaS component 304. There is also asoftware component in the ODL OS platform which will configure the ODL206 to use the CA certificate during the TLS key negotiation. Inparticular, “OS:config agent” will receive the CA certificate which isgenerated by CertMgr and be able to configure the ODL 206 to use thecertificate to verify the client/server certificate from the ONA 110.

FIG. 3B provides further details about the clustering engines 214.MNESIA MMDB 310 is the distributed Main Memory Database which stores allcertificate information and is replicated to other cluster members.Registry 308 is the overlay to the MNESIA MMDB 310 to provide high levelabstraction of the DBMS and also provide subscription and notificationservice. RabbitMQ 306 is an AMQP implementation in Erlang/OTP that canbe used for seamless and high performing integration with SDN Engines210 which is written in Java.

FIG. 4 illustrates a protocol diagram of one stage of attaching a deviceto a SDN controller 104 in accordance with the principles of the presentdisclosure. In accordance with FIG. 4, an administrative, or IT, memberhas a QR scanner 402 available. The QR scanner 402 can connect to themanagement application 212 of the SDN controller 104. The IT memberlaunches a scanner app, in step 404, and begins a scan operation in step406 as instructed by the app 212. A QR code that is displayed (step 408)on the ONA 110 is captured in step 410 and delivered, in step 412, tothe SDN Engines 210. The QR code can encode the MAC address and theserial number of the ONA 110. The SDN Engines 210 stores, in step 414,the information in the database of the cluster engines 214. The storedinformation can be replicated, as well, by the cluster engines 214 instep 416. In step 418, the SDN engines 210 informs the managementapplication 212 of a successful scan and store which, in turn, informsthe IT member of the success in step 420. The IT member can thenconfirm, in step 422, the information in the “success” message with thephysical ONA device 110.

As described in detail below, once the ONA 110 is cataloged with the SDNengines 210, it can be deployed within an enterprise such as the examplehealthcare environment described earlier. Once deployed (e.g., pairedwith a medical device 112), the ONA 110 will perform an initial boot-upprocedure to generate a PKI certificate for further use.

FIG. 5A and FIG. 5B illustrate alternative techniques for initiating acertificate signing request (CSR) in accordance with the principles ofthe present disclosure. In FIG. 5A, the ONA 110 initiates an Openflowhandshake over TCP with the ODL component 206. The ODL component 206then generates an “attach notification” event which it sends to the SDNengines 210. The notification allows the SDN engines 210 to start aprocess to authenticate the serial number of the ONA 110. Initially, theSDN engines 210 checks to determine if a signed client certificate forthe ONA 110 exists. If the certificate does not exist, the SDN enginesstarts a process to initiate a CSR request.

In the alternative of FIG. 5B, the ONA 110 can be controlled by an ITmember, through the SDN engines 210 to generate a CSR. Using themanagement application 212, for example, the IT member can display thecertificate status for an ONA and initiate a CSR request using the RESTAPI 208 to communicate with the ODL component 206. The ODL component 206instructs the ONA 110 to generate a CSR by sending an appropriateNETCONF message. The ODL 206 receives the generated CSR via NETCONF andprovides it to the SDN engines 210. Thus, it is possible to initiate theCSR request through the SDN controller's WebUI. This use case can bestarted even if the ONA 110 is already provisioned with a clientcertificate. The IT member can override the existing status and startthe CSR request process. On receiving of a CSR request from the SDNEngines 210, the ONA 110 can regenerate the CSR request and overwritethe existing client certificate when it is successfully delivered.

FIG. 6 illustrates a protocol diagram of a second stage of attaching thedevice to the SDN controller 104 in accordance with the principles ofthe present disclosure. The protocol diagram of FIG. 6 aligns with theprocess described with respect to FIG. 5A and provides additionaldetails. As a general overview, the process of FIG. 6 is initiated bythe ONA 110 when it first boots up. When the ONA 110 and the ODL 206attempt the first serial number based authentication, the SDN Engines210 checks whether a client certificate was previously issued or not forthe ONA 110. If the ONA 110 has not been issued a client certificate,then a configuration manager portion of the SDN engines 210 can initiatethe CSR request process through a CertMgr REST API call to the ODL 206.

In accordance with FIG. 6, there is no administrator intervention inthis auto CSR signing process. The ONA 110 generates the key-pair duringthe very first boot. When the initial Openflow connection is made forthe first time, the SDN Engines 210 will check the ONA information inthe device inventory and check to see if an ONA client certificate hasbeen signed or not. If it was not, then the SDN Engines 210 initiatesthe CSR request to the ONA 110 through the REST API 208 provided by theODL 206. On receiving of the CSR Request in the ODL 206, the ODL 206initiates the NETCONF communication to the ONA 110 to start a CSRrequest. In response, the ONA 110 will return a CSR to the ODL 206. TheCSR will be transferred back to SDN Engines CertMgr. The CertMgr willprocess the CSR and sign the CSR. The SDN engines 210 returns the clientcertificate back to the ONA 110 through the ODL REST API. Once theclient certificate is delivered to the ONA 110, the ONA 110 saves it inpermanent storage. In addition, the SDN Engines CertMgr will transferthe CA cert to the ODL 206 which will be used to verify the clientcertificate later on to be placed in an ODL key store.

For the certificate authentication support described herein, newelements are added into ONA YANG data model. One example new element—CSRis added in ONA YANG model as a configuration data which can be queriedby using the NETCONF get command with xpath filters. In particular, FIG.8 depicts a partial YANG tree 800 for the ONA 110. The tree 800 hasthree added elements 802, 804 and 806 that relate to the principles ofthe present disclosure. The certificate which the ONA can use in anauthentication process is element 804. The public key of the SDN engines210 is element 806 and may be used by the ONA 110 for sending messagesthat can only be unencrypted by using the SDN engines' private key. TheCSR-related element is element 802. These elements are defined in theONA YANG data model as configuration data under <system>. Thus, theseelements can be set by using NETCONF edit-config command. The values canalso be accessed by get-config or get commands with an xpath filter.

The steps 602-618, other than step 608, relate to standard steps ofconnecting an ONA 110 with the SDN controller 104. In step 608, the ONA110 generates a key pair as part of its initialization of the SSHconnection.

Additionally, when the SDN engines 210 receive the ONA activationrequest of step 618, the SDN engines 210 can check whether the ONA 110already has a signed certificate associated with its serial number.Steps 620-644 assume that the ONA 110 has no certificate yet.

In step 620 the SDN engines 210 instructs the ODL component 206 torequest a CSR from the ONA 110. The ODL component 206, in step 622,instructs the ONA 110 to generate a CSR. This causes the ONA 110 togenerate, in step 624, a CSR which includes the portion signed by theprivate key of the ONA 110 and to return the CSR, in step 626, to theODL component 206. The CSR is delivered to the SDN engines 210, in step628, so that it can be saved in the cluster engines, in step 630. TheSDN engines 210 then uses the private key of the SDN controller to signthe public key of the ONA 110, in step 632. The signed public key is nowa credential, or certificate, that is tied to the ONA 110 and, as such,it is saved in the cluster engines 214, in step 634. The SDNcontroller's public key (referred to in step 636 as the “CAcertificate”) along with the signed public key are pushed from the SDNengines 210 to the ODL component 206, in steps 636 and 638,respectively. The ODL component 206 delivers, in step 640, the signedpublic key to the ONA 110 which can then save it (step 642) and reboot(step 644).

As shown in FIG. 6, steps 622, 626, 640 and 642 occur using NETCONF.FIG. 9 shows a NETCONF message which the ODL component 206 can send tothe ONA 110 to instruct the ONA 110 to generate a CSR. Upon receivingthe message 902, the ONA 110 will generate a CSR and return it to theODL component 206 in a NETCONF reply message. FIG. 10 illustrates aNETCONF message 1002 that can be sent by the ODL component 206 to theONA 110 in order to set the “switch-cert” and “cacert” elements of theYANG model shown in the tree 800 of FIG. 8. The example message 1002 hasan entry for both the cacert and the switch-cert but these elementscould be sent in separate messages as well. In an actual NETCONF messagefor this purpose, the body of each of the two XML data elements wouldcontain the respective credentials. The “switch-cert” is the signedpublic key of the ONA 110 that was returned by the ODL component 206 instep 640 of FIG. 6. The “cacert” is the public key of the SDN controller104 (i.e., the CA) and is not shown in any particular step of FIG. 6 asbeing returned to the ONA 110.

In response to receiving the message 1002 of FIG. 10, the ONA 110 cansend, for example, an “OK” message 1102 as shown in FIG. 11 or an errormessage 1202 as shown in FIG. 12.

FIG. 13 illustrates an example NETCONF message that can be sent by theODL component 206 to the ONA 110 to request the ONA 110 to provide its“switch-cert”. In reply, the ONA 110 can generate the message 1402 asshown in FIG. 14.

FIG. 7 illustrates a protocol diagram of a third stage of attaching theONA 110 to the SDN controller in accordance with the principles of thepresent disclosure. In accordance with the process depicted in FIG. 7, adual-factor authentication is performed using a) a uniquely generatedclient certificate which was tied to only one particular ONA as firstfactor and b) a uniquely provisioned serial number as second factor.Once the processes depicted in FIG. 4 and FIG. 6 are completed, the ONA110 is in a state where:

a) the ONA was physically verified by the customer during the onboardingprocess,

b) the ONA serial number was programmed by the customer in to the SDNController, and

c) a unique ONA client certificate was signed by SDN Controller andprovisioned back to the ONA.

Now, when the ONA 110 initiates the Openflow Handshake over TLS, duringTLS key negotiation time, the ONA 110 presents the client certificatewhich was signed by SDN Controller 104. The ODL component 206 of the SDNcontroller 104 verifies the client certificate using the stored CAcertificate. On success of verification, the SDN Controller's ODLcomponent 206 completes the TLS key negotiation and all traffic from theONA 110 will be encrypted with the negotiated key. On success of theOpenFlow Handshake and NETCONF-over-SSH, the ONA 110 is mounted to theODL component 206 of the SDN controller 104. Then the ONA AttachNotification will be delivered to the SDN Engines 210 by the ODLcomponent 206. Afterwards, the SDN Engines 210 will use the serialnumber of the ONA 110, which was delivered as part of the AttachNotification, to authenticate the ONA 110.

In the above-described process, the ONA 110 can use its certificate forthree purposes: a) OpenFlow-over-TLS, b) NETCONF-over-SSH and c) Web UIin manufacturing mode. However, the role of the ONA 110 during therespective key negotiations is different among those cases:

USE CASE ROLE OpenFlow-over-TLS Client Netconf-over-SSH Server WebUIClient

According to the process of FIG. 7A, the ONA 110 initiates the OpenFlowover TLS handshake, in step 702, by sending its “switch-cert”certificate which the ODL component 206 can verify, in step 704, usingthe CA certificate it received in step 636 of FIG. 6. Upon successfulcertificate verification, the ODL component 206, in step 706, completesthe OpenFlow initiation which causes the ONA 110 to send an OpenFlowHello message, in step 709. The ODL component 206 then completes theOpenFlow handshake in step 710. The ODL component 206 then starts aNETCONF-over-SSH session (or tunnel), in step 712, which causes the ONA110 to send its “switch-cert” certificate again, in step 714 so that itcan be verified in step 716. Upon successful certificate verification,the ODL component completes the NETCONF negotiation process, in step717.

Successful certificate verification also causes the ODL component toissue, in step 718, an ONA attach event to the SDN engines 210 whichincludes a serial number and MAC address of the ONA 110. The SDN engines210 delivers the attach event to the management application 212, in step720 which then requests, in step 722, serial number information from thecluster engines 214. The cluster engines 214 return the requested serialnumber information, in step 724, and the management application 212 canthen verify, or authenticate in step 726, the serial number within theattach request. Upon successful verification, the management activates,in step 728, the ONA within the SDN engines 210 which then, in step 730,instructs the ODL component 206 to enable LLDP for the ONA 110. Once theODL component enables LLDP for the ONA 110, in step 732, the SDN engines210 assigns VLAN and I-SID values to the ONA 110 according to steps 734and 736.

FIG. 7B illustrates a three-step workflow for onboarding a networkdevice in accordance with the principles of the present disclosure. Theflowchart of FIG. 7B looks at the process described herein at thesystem-wide level as involving a general three-step workflow of how toon-board a new ONA onto the network by actions performed by a customerand not relying on installing PKI certificates on each ONA during themanufacturing process. The first step, step 750, involves a physicalstep in which the MAC address and serial number of the ONA are captured,for example, by a QR reader and added to the databases maintained by theSDN controller. Step 752, a second step, relates to a PKI generation andcertificate exchange during the initial boot of the ONA when it hasfirst been attached to the network. The public and private keys for theONA are generated in such a way that each ONA will have a unique privatekey. As the initial boot process continues, the ONA and the SDNcontroller exchange messages using an augmented version of NETCONF toprovide the ONA public key to the SDN controller. The SDN controlleracts as a certificate authority, signs the public key and returns thesigned certificate to the ONA. As the final step in the three-stepprocess, the ONA can, in step 754, first authenticate an OpenFlowsession and a NETCONF session using the signed certificate. Uponsuccessful authentication using the signed certificate, the ONA can beauthenticated by the OpenDaylight component using the ONA's serialnumber. At this stage, the ONA can be set as active and that statusreflected in a management application used by the customer.

FIG. 8 illustrates an example YANG tree of a network adapter inaccordance with the principles of the present disclosure.

FIG. 9-FIG. 14 illustrate examples of NETCONF messages that facilitatean exchange of public key infrastructure (PKI) certificates inaccordance with the principles of the present disclosure.

Computer Technology

Referring to FIG. 15, a block diagram of a data processing system isdepicted in accordance with the present disclosure. A data processingsystem 1500, such as may be utilized to implement the methods, thealgorithms, the computers or aspects thereof, e.g., as set out ingreater detail in FIG. 1-FIG. 14, may comprise a symmetricmultiprocessor (SMP) system or other configuration including a pluralityof processors 1502 connected to system bus 1504. Alternatively, a singleprocessor 1502 may be employed. Also connected to system bus 1504 ismemory controller/cache 1506, which provides an interface to localmemory 1508. An I/O bridge 1510 is connected to the system bus 1504 andprovides an interface to an I/O bus 1512. The I/O bus may be utilized tosupport one or more busses and corresponding devices 1514, such as busbridges, input output devices (I/O devices), storage, network adapters,etc. Network adapters may also be coupled to the system to enable thedata processing system to become coupled to other data processingsystems or remote printers or storage devices through interveningprivate or public networks.

Also connected to the I/O bus may be devices such as a graphics adapter1516, storage 1518 and a computer usable storage medium 1520 havingcomputer usable program code embodied thereon. The computer usableprogram code may be executed to execute any aspect of the presentdisclosure, for example, to implement aspect of any of the methods,computer program products and/or system components illustrated in FIG.1-FIG. 14.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods and computer program products according to variousaspects of the present disclosure. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof code, which comprises one or more executable instructions forimplementing the specified logical function(s). It should also be notedthat, in some alternative implementations, the functions noted in theblock may occur out of the order noted in the figures. For example, twoblocks shown in succession may, in fact, be executed substantiallyconcurrently, or the blocks may sometimes be executed in the reverseorder, depending upon the functionality involved. It will also be notedthat each block of the block diagrams and/or flowchart illustration, andcombinations of blocks in the block diagrams and/or flowchartillustration, can be implemented by special purpose hardware-basedsystems that perform the specified functions or acts, or combinations ofspecial purpose hardware and computer instructions.

As will be appreciated by one skilled in the art, aspects of the presentdisclosure may be illustrated and described herein in any of a number ofpatentable classes or context including any new and useful process,machine, manufacture, or composition of matter, or any new and usefulimprovement thereof. Accordingly, aspects of the present disclosure maybe implemented entirely hardware, entirely software (including firmware,resident software, micro-code, etc.) or combining software and hardwareimplementation that may all generally be referred to herein as a“circuit,” “module,” “component,” or “system.” Furthermore, aspects ofthe present disclosure may take the form of a computer program productembodied in one or more computer readable media having computer readableprogram code embodied thereon.

Any combination of one or more computer readable media may be utilized.The computer readable media may be a computer readable signal medium ora computer readable storage medium. A computer readable storage mediummay be, for example, but not limited to, an electronic, magnetic,optical, electromagnetic, or semiconductor system, apparatus, or device,or any suitable combination of the foregoing. More specific examples (anon-exhaustive list) of the computer readable storage medium wouldinclude the following: a portable computer diskette, a hard disk, arandom access memory (RAM), a read-only memory (ROM), an erasableprogrammable read-only memory (EPROM or Flash memory), an appropriateoptical fiber with a repeater, a portable compact disc read-only memory(CD-ROM), an optical storage device, a magnetic storage device, or anysuitable combination of the foregoing. In the context of this document,a computer readable storage medium may be any tangible medium that cancontain, or store a program for use by or in connection with aninstruction execution system, apparatus, or device.

A computer readable signal medium may include a propagated data signalwith computer readable program code embodied therein, for example, inbaseband or as part of a carrier wave. Such a propagated signal may takeany of a variety of forms, including, but not limited to,electro-magnetic, optical, or any suitable combination thereof. Acomputer readable signal medium may be any computer readable medium thatis not a computer readable storage medium and that can communicate,propagate, or transport a program for use by or in connection with aninstruction execution system, apparatus, or device. Program codeembodied on a computer readable signal medium may be transmitted usingany appropriate medium, including but not limited to wireless, wireline,optical fiber cable, RF, etc., or any suitable combination of theforegoing.

Computer program code for carrying out operations for aspects of thepresent disclosure may be written in any combination of one or moreprogramming languages, including an object oriented programming languagesuch as Java, Scala, Smalltalk, Eiffel, JADE, Emerald, C++, CII, VB.NET,Python or the like, conventional procedural programming languages, suchas the “c” programming language, Visual Basic, Fortran 2003, Perl, COBOL2002, PHP, ABAP, dynamic programming languages such as Python, Ruby andGroovy, or other programming languages. The program code may executeentirely on the user's computer, partly on the user's computer, as astand-alone software package, partly on the user's computer and partlyon a remote computer or entirely on the remote computer or server. Inthe latter scenario, the remote computer may be connected to the user'scomputer through any type of network, including a local area network(LAN) or a wide area network (WAN), or the connection may be made to anexternal computer (for example, through the Internet using an InternetService Provider) or in a cloud computing environment or offered as aservice such as a Software as a Service (SaaS).

Aspects of the present disclosure are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatuses(systems) and computer program products according to embodiments of thedisclosure. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer program instructions. These computer program instructions maybe provided to a processor of a general purpose computer, specialpurpose computer, or other programmable data processing apparatus toproduce a machine, such that the instructions, which execute via theprocessor of the computer or other programmable instruction executionapparatus, create a mechanism for implementing the functions/actsspecified in the flowchart and/or block diagram block or blocks.

These computer program instructions may also be stored in a computerreadable medium that when executed can direct a computer, otherprogrammable data processing apparatus, or other devices to function ina particular manner, such that the instructions when stored in thecomputer readable medium produce an article of manufacture includinginstructions which when executed, cause a computer to implement thefunction/act specified in the flowchart and/or block diagram block orblocks. The computer program instructions may also be loaded onto acomputer, other programmable instruction execution apparatus, or otherdevices to cause a series of operational steps to be performed on thecomputer, other programmable apparatuses or other devices to produce acomputer implemented process such that the instructions which execute onthe computer or other programmable apparatus provide processes forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks.

While the exemplary embodiments illustrated herein show the variouscomponents of the system collocated, certain components of the systemcan be located remotely, at distant portions of a distributed network,such as a LAN and/or the Internet, or within a dedicated system. Thus,it should be appreciated, that the components of the system can becombined into one or more devices, such as a switch, server, and/oradjunct, or collocated on a particular node of a distributed network,such as an analog and/or digital telecommunications network, apacket-switch network, or a circuit-switched network. It will beappreciated from the preceding description, and for reasons ofcomputational efficiency, that the components of the system can bearranged at any location within a distributed network of componentswithout affecting the operation of the system. For example, the variouscomponents can be located in a switch such as a PBX and media server,gateway, in one or more communications devices, at one or more users'premises, or some combination thereof. Similarly, one or more functionalportions of the system could be distributed between a telecommunicationsdevice(s) and an associated computing device.

Furthermore, it should be appreciated that the various links connectingthe elements can be wired or wireless links, or any combination thereof,or any other known or later developed element(s) that is capable ofsupplying and/or communicating data to and from the connected elements.These wired or wireless links can also be secure links and may becapable of communicating encrypted information. Transmission media usedas links, for example, can be any suitable carrier for electricalsignals, including coaxial cables, copper wire and fiber optics, and maytake the form of acoustic or light waves, such as those generated duringradio-wave and infra-red data communications.

Also, while the flowcharts have been discussed and illustrated inrelation to a particular sequence of events, it should be appreciatedthat changes, additions, and omissions to this sequence can occurwithout materially affecting the operation of the disclosure.

A number of variations and modifications of the disclosure can be used.It would be possible to provide for some features of the disclosurewithout providing others.

For example in one alternative embodiment, the systems and methods ofthis disclosure can be implemented in conjunction with a special purposecomputer, a programmed microprocessor or microcontroller and peripheralintegrated circuit element(s), an ASIC or other integrated circuit, adigital signal processor, a hard-wired electronic or logic circuit suchas discrete element circuit, a programmable logic device or gate arraysuch as PLD, PLA, FPGA, PAL, special purpose computer, any comparablemeans, or the like. In general, any device(s) or means capable ofimplementing the methodology illustrated herein can be used to implementthe various aspects of this disclosure. Exemplary hardware that can beused for the present disclosure includes computers, handheld devices,telephones (e.g., cellular, Internet enabled, digital, analog, hybrids,and others), and other hardware known in the art. Some of these devicesinclude processors (e.g., a single or multiple microprocessors), memory,nonvolatile storage, input devices, and output devices. Furthermore,alternative software implementations including, but not limited to,distributed processing or component/object distributed processing,parallel processing, or virtual machine processing can also beconstructed to implement the methods described herein.

Although the present disclosure describes components and functionsimplemented in the embodiments with reference to particular standardsand protocols, the disclosure is not limited to such standards andprotocols. Other similar standards and protocols not mentioned hereinare in existence and are considered to be included in the presentdisclosure. Moreover, the standards and protocols mentioned herein andother similar standards and protocols not mentioned herein areperiodically superseded by faster or more effective equivalents havingessentially the same functions. Such replacement standards and protocolshaving the same functions are considered equivalents included in thepresent disclosure.

CONCLUSION

While the foregoing is directed to embodiments of the presentdisclosure, other and further embodiments of the present disclosure maybe devised without departing from the basic scope thereof. It isunderstood that various embodiments described herein may be utilized incombination with any other embodiment described, without departing fromthe scope contained herein. Further, the foregoing description is notintended to be exhaustive or to limit the present disclosure to theprecise form disclosed. Modifications and variations are possible inlight of the above teachings or may be acquired from practice of thepresent disclosure.

The invention claimed is:
 1. A computer implemented method forgenerating PKI credentials for authenticating a networking applianceattempting to attach to a network, comprising: sending, by the computer,to the networking appliance an instruction to generate a certificatesigning request (CSR); receiving, by the computer, the certificatesigning request (CSR) from the networking appliance, wherein the CSRcomprises credential data associated with an identity of the networkingappliance; generating, by the computer, an appliance certificate basedon the credential data and a certificate authority (CA) certificateassociated with the computer; and returning, by the computer, theappliance certificate to the networking appliance, wherein returning theappliance certificate comprises generating a NETCONF messageencapsulating the appliance certificate.
 2. The method of claim 1,wherein the credential data comprises identity data encrypted using aprivate key associated with the networking appliance.
 3. The method ofclaim 2, wherein the credential data comprises a public key associatedwith the private key.
 4. The method of claim 1, wherein the CSR isencapsulated in a NETCONF message.
 5. The method of claim 1, wherein thenetworking appliance comprises a virtual switch.
 6. The method of claim1, comprising: saving, by the computer, the appliance certificate in adatabase accessible by the computer.
 7. The method of claim 1,comprising: saving, by the computer, the CSR in a database accessible bythe computer.
 8. The method of claim 1, wherein the computer comprises asoftware-defined-networking controller.
 9. A system for generating PKIcredentials for authenticating a networking appliance attempting toattach to a network, comprising: a memory device storing executableinstructions; and a processor in communication with the memory device,wherein executing the executable instructions by the processor causesthe processor to: send to the networking appliance an instruction togenerate a certificate signing request (CSR); receive the certificatesigning request (CSR) from the networking appliance, wherein the CSRcomprises credential data associated with an identity of the networkingappliance; generate an appliance certificate based on the credentialdata and a certificate authority (CA) certificate associated with thecomputer; and return the appliance certificate to the networkingappliance, wherein returning the appliance certificate comprisesgenerating a NETCONF message encapsulating the appliance certificate.10. The system of claim 9, wherein the credential data comprisesidentity data encrypted using a private key associated with thenetworking appliance.
 11. The system of claim 10, wherein the credentialdata comprises a public key associated with the private key.
 12. Thesystem of claim 9, wherein the CSR is encapsulated in a NETCONF message.13. The system of claim 9, wherein the networking appliance comprises avirtual switch.
 14. The system of claim 9, wherein executing theexecutable instructions by the processor causes the processor to: savethe appliance certificate in a database accessible by the processor. 15.The system of claim 9, wherein executing the executable instructions bythe processor causes the processor to: save the CSR in a databaseaccessible by the processor.
 16. The system of claim 9, comprising asoftware-defined-networking controller.
 17. A computer implementedmethod for generating PKI credentials for authenticating a networkingappliance attempting to attach to a network, comprising: sending, by thecomputer, to the networking appliance an instruction to generate acertificate signing request (CSR); receiving, by the computer, thecertificate signing request (CSR) from the networking appliance, whereinthe CSR comprises credential data associated with an identity of thenetworking appliance and wherein the CSR is encapsulated in a NETCONFmessage; generating, by the computer, an appliance certificate based onthe credential data and a certificate authority (CA) certificateassociated with the computer; and returning, by the computer, theappliance certificate to the networking appliance.
 18. A system forgenerating PKI credentials for authenticating a networking applianceattempting to attach to a network, comprising: a memory device storingexecutable instructions; and a processor in communication with thememory device, wherein executing the executable instructions by theprocessor causes the processor to: send to the networking appliance aninstruction to generate a certificate signing request (CSR) wherein theCSR is encapsulated in a NETCONF message; receive the certificatesigning request (CSR) from the networking appliance, wherein the CSRcomprises credential data associated with an identity of the networkingappliance; generate an appliance certificate based on the credentialdata and a certificate authority (CA) certificate associated with thecomputer; and return the appliance certificate to the networkingappliance.